Mariano Peruzzotti September 16 2022 New draft bill on personal data protection in Argentina Ojam Bullrich Flanzbaum | Tech, Data, Telecoms & Media - Argentina Mariano Peruzzotti Tech, Data, Telecoms & Media IntroductionLegislative historyKey changesCommentIntroductionA new draft bill on personal data protection was officially released on 12 September 2022. The Argentine Agency of Access to Public Information – the supervisory authority of the Argentine Data Protection Law (DPA) – had recently initiated the process aimed at reforming the personal data protection regime (for further details please see "Prospective new data protection bill in Argentina"). Now, individuals and organisations may submit their comments to the draft bill, which is open for consultation until 30 September 2022.Legislative history 22 years ago, the Personal Data Protection Law No. 25,326 (PDPL) was passed and was later complemented by Regulatory Decree No. 1558/2001 and several resolutions, rules and guidelines issued by the DPA. While no substantial amendments have been introduced to the text of the PDPL since its enactment in 2000, Argentina meanwhile joined:Convention No. 108 for the Protection of Individuals with Regard to the Automatic Processing of Personal Data; andConvention 108+ (ie, the protocol amending the Convention No 108), which is still pending ratification by Congress.In August 2022, the head of the DPA held several meetings with different stakeholders, such as:associations related to personal data protection;privacy professionals and experts; andformer DPA directors.On 12 September 2022, the DPA published in the Official Gazette Resolution 119/2022, which released the draft bill. The most relevant changes proposed by the draft bill are set out below.Key changes In many ways, the draft bill follows the provisions of the EU General Data Protection Regulation (GDPR). The following are some of the most relevant changes that the draft bill proposes.DefinitionsNew terms have been introduced to the list of definitions, including:consent;international data transfer;genetic data;biometric data;anonymisation;pseudonymisation;profiling;controller;processor;representative (similarly to article 27 of the GDPR);third parties; anddata protection officer.Data subjectUnlike the PDPL, the draft bill only covers the personal data of individuals excluding the information of legal entities.Territorial scopeFollowing the GDPR and other similar regulations such as the Brazilian General Data Protection Law, the draft bill will apply to organisations outside Argentina if they offer goods or services to, or monitor the behaviour of persons in Argentina, among other things.PrinciplesData minimisation and accountability are introduced as data processing principles.Legal basisThe draft bill provides that the processing of personal data will be lawful where one of six grounds is fulfilled, which include legitimate interest. Pursuant to the PDPL, the only legal basis is consent (with a limited number of exceptions to the consent rule).Sensitive dataAdditional legal bases are introduced for the processing of sensitive personal data. The draft bill includes the criteria of enhanced liability when processing this kind of information.ChildrenThe draft bill provides special protection for children and sets forth specific rules for protecting children's personal data when processed in the context of information society services. Children under 13 must obtain their consent of a parent or guardian.Security incidentsThe draft bill imposes the obligation to notify data breaches to the DPA without undue delay and within 48 hours of becoming aware that the breach is likely to result in a risk to the data subjects' rights. Data subjects must also be communicated of the breach if this is likely to result in a high risk to their rights.Cross border data transferThe draft bill clarifies the provisions on international data transfer that will be allowed when:the third country ensures an adequate level of protection for the personal data, as determined by the DPA;the exporter provides appropriate safeguards on the data processing conditions (such as the case of standard contractual clauses, binding corporate rules or certification mechanisms); ora transfer fits within one of the derogations for specific situations (including consent).Data subject's rightsNew rights are added to the current list provided for in the PDPL (information, access, rectification, update, removal and withdrawal of consent), including the right to:data portability;not be subject to automated decision making (or profiling); andobject.The time limit to respond to a data subject's request is 10 business days.Data protection impact assessmentWhere the controller is considering conducting a type of data processing that – based on the nature, scope, context and purposes – is likely to result in heightened risk to the rights of data subjects, an assessment of the impact of the envisaged processing must be carried out. Like the GDPR, the draft bill lists the cases where such assessment is mandatory and sets forth the minimum content that it shall contain. Prior consultation with the DPA is mandatory if the result of the DPA reveals a high risk to the data subjects' rights.Data protection officerThe appointment of a data protection officer is mandatory in specific situations and voluntary in the remaining cases. The draft bill describes the position, qualifications, requirements and tasks for this role. A group of undertakings may appoint a single data protection. The role can be covered by a staff member or by a provider.RepresentativeIn line with the GDPR, a representative must be appointed by foreign controllers and processors that are covered by the provisions of the Argentine law considering the rules of territorial scope.National registryControllers and processors that must appoint a data protection officer, as well as those that have to designate a representative, will need to be registered with the DPA. No further database registration will be required.FinesThe amount that companies can be fined was increased considerably, and this amount will be updated annually.Grace periodCompanies will have one year to adjust their proceedings to the new requirements of the draft bill.CommentComments on the draft bill may be submitted until 30 September 2022. After that date, it is expected that a new text will be released before introducing this initiative to Congress.The Spanish version of the draft bill can be consulted here.For further information on this topic please contact Mariano Peruzzotti at Ojam Bullrich Flanzbaum by telephone (+54 11 4549-4900) or email ([email protected]). The Ojam Bullrich Flanzbaum website can be accessed at www.ojambf.com.